Escaping ' and "
#1

Hi,

Do I need to not let people write ' and "? Is that escaping already, or is it harmless? I mean, talking about syntax errors.
#2

On the chat? Well, no. Nothing happens if they use those characters.

In a script, use ' and \".

' = '
\" = "
#3

I'm talking about MySQL queries:

update table set text='%s'


%s is text from a variable; say it contains:

knlb'gas";qweasd

Then the query looks like:

update table set text='knlb'gas";qweasd'

It looks like the query will end at update table set text='knlb'. Am I right or not? Do I get a syntax error?
#4

Double the single quotes in order to escape them.

PHP code:
UPDATE table SET field='Tes''t' 
#5

Is escaping done already, or do I need to do it myself? Because it will be text from a variable.
#6

Yes, you should escape every player text: WHERE text = '%q', or %e in mysql_format.
#7

Escaping doesn't have anything to do with syntax errors. The point of escaping is to stop a query from being potentially exploited and navigated away from the desired query (example: putting in an arbitrary value that isn't desired by the server, but will help you).

The MySQL plugin (the one by BlueG, currently maintained by maddinat0r) provides a mysql_format function with %e, which escapes the string during formatting (the function has the same syntax/usage as the format function).

The plugin also provides a native mysql_escape_string function to escape a string:
Pawn code:
native mysql_escape_string(const source[], destination[], connectionHandle = 1, max_len = sizeof(destination))
http://stackoverflow.com/questions/6...ring-really-do may help you better understand what happens when you escape a query string.
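The following is an added example, not code from the thread or from the MySQL plugin. It walks the UPDATE query from post #3 through the two escaping techniques discussed (backslash escaping of the kind mysql_format's %e and mysql_real_escape_string apply, and the doubled single quote from post #4) and then scans the resulting query the way the SQL parser would, so you can see exactly where the string literal ends in each case. The escape table is an assumption based on mysql_real_escape_string's documented default behaviour (it changes under NO_BACKSLASH_ESCAPES or certain multibyte charsets); the player text is constructed from the thread.

```python
# Added example (not the MySQL plugin's code): what an unescaped player
# string does to the UPDATE query from the thread, and what escaping
# produces instead.

# Assumption: the characters mysql_real_escape_string() rewrites with its
# default settings; mysql_format's %e applies the same rules.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
# Inverse table, used when scanning a query the way the server parser does.
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}


def escape_backslash(s: str) -> str:
    """Escape like mysql_real_escape_string / mysql_format's %e."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def escape_double_quote(s: str) -> str:
    """Escape by doubling single quotes (post #4).

    Only valid when the value sits inside a single-quoted literal."""
    return s.replace("'", "''")


def read_literal(query: str) -> tuple[str, str]:
    """Scan the first single-quoted literal in `query` as MySQL would.

    A backslash escape or a doubled quote continues the literal; a lone
    quote ends it. Returns (literal_value, text_after_closing_quote), so
    a non-empty second element is text the server parses as SQL, not data.
    """
    i = query.index("'") + 1
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            # "\x" yields the mapped character, or x itself for unknown x.
            out.append(_UNESCAPES.get(query[i + 1], query[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), query[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


TEMPLATE = "UPDATE table SET text='%s'"
PLAYER_TEXT = "knlb'gas\";qweasd"  # constructed input, taken from post #3


def build(template: str, text: str, escaper=None) -> str:
    """Format the query like the plugin's %s (no escaper) or %e (escaper)."""
    return template % (escaper(text) if escaper else text)


if __name__ == "__main__":
    for label, esc in (("%s, unescaped", None),
                       ("%e, backslash-escaped", escape_backslash),
                       ("doubled quotes", escape_double_quote)):
        q = build(TEMPLATE, PLAYER_TEXT, esc)
        value, rest = read_literal(q)
        print(f"{label:22} {q}")
        print(f"{'':22} literal={value!r}  parsed as SQL afterwards={rest!r}")
```

With the raw %s the literal stops at `knlb` and `gas";qweasd'` is handed to the parser as SQL, which is both the syntax error asked about in post #3 and the injection point post #7 describes. With either escaping method the whole player string survives as the value and nothing trails the closing quote.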